# Auth0 Logs

## Overview

Panther ingests Auth0 tenant logs by configuring [Auth0's log streaming service](https://auth0.com/docs/customize/log-streams) to post events to a Panther [HTTP source](https://docs.panther.com/data-onboarding/data-transports/http).

## How to onboard Auth0 logs to Panther

### Step 1: Create a new Auth0 source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Auth0,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.\
   ![The Auth0 log source setup page is shown, in the Panther Console. In the upper-right corner, the Transport Mechanism dropdown has a value of "HTTP," and to its right is a Start Setup button. Both are circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-0d6b21fee1726ba875973ff39eb2f5aa758dba44%2FScreenshot%202023-06-07%20at%204.35.28%20PM.png?alt=media)
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * During setup, on the security configuration page, you will be required to use [bearer authentication](https://docs.panther.com/data-transports/http#bearer); this is the only method of authentication Auth0 supports. You can generate a token value by clicking the circular arrows, or supply your own.

     ![A section titled "Bearer Authentication" is shown. To the right of a "Bearer Token Value" field there is a button with two arrows arranged in a circle, and this button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-11e00f12cdb0213d36a3b07584633f413a3cacaf%2Fimage.png?alt=media)
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Create a new Log Stream in Auth0

1. Log in to your Auth0 tenant.
2. From the dashboard, navigate to **Monitoring** > **Streams**.
3. Click **Create Stream**.
4. Select **Custom Webhook**.
5. Give your Event Stream a descriptive name, e.g., `Panther Log Stream`.
6. In the **Payload URL** field, paste the URL of the Auth0 HTTP source you created in Panther in [Step 1](#step-1-create-a-new-auth0-source-in-panther).
7. In the **Authorization Token** field, enter the bearer token you used in [Step 1](#step-1-create-a-new-auth0-source-in-panther), being sure to include the `Bearer` prefix. The complete format should be `Bearer <token value>`.
8. Click **Save**.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Auth0 in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules/auth0_rules).

## Supported log types

### Auth0.Events

Auth0.Events are event logs from the Auth0 log stream. For more information, see [Auth0's documentation on tenant log events](https://auth0.com/docs/deploy-monitor/logs).

````yaml
schema: Auth0.Events
description: Event logs from Auth0 Log Stream
referenceURL: https://auth0.com/docs/deploy-monitor/logs
fields:
  - name: log_id
    required: true
    description: The ID of the log.
    type: string
  - name: asdfg
    type: array
    validate:
      allow: ['authentication']
    element:
      type: string
  - name: data
    required: true
    description: The data object containing information about the log.
    type: object
    fields:
      - name: date
        description: Date/Time when the event occurred.
        type: timestamp
        isEventTime: true
        timeFormats:
          - rfc3339
      - name: type
        description: Type of event.
        type: string
      - name: description
        description: Description of this event.
        type: string
      - name: connection
        description: Name of the connection the event relates to.
        type: string
      - name: connection_id
        description: ID of the connection the event relates to.
        type: string
      - name: client_id
        description: ID of the client (application).
        type: json
      - name: client_name
        description: Name of the client (application).
        type: string
      - name: ip
        description: IP address of the log event source.
        indicators:
          - ip
        type: string
      - name: client_ip
        type: string
        description: IP address of the client which caused the event.
        indicators:
          - ip
      - name: hostname
        description: Hostname the event applies to.
        type: string
      - name: user_id
        description: ID of the user involved in the event.
        type: string
        indicators:
          - username
      - name: user_name
        description: Name of the user involved in the event.
        type: json
      - name: audience
        description: API audience the event applies to.
        type: string
      - name: scope
        description: Scope permissions applied to the event.
        type: json
      - name: strategy
        description: Name of the strategy involved in the event.
        type: string
      - name: strategy_type
        description: Type of strategy involved in the event.
        type: string
      - name: details
        description: Additional useful details about this event (structure is dependent upon event type).
        type: json
      - name: log_id
        description: Unique ID of the event.
        type: string
      - name: is_mobile
        description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
        type: boolean
      - name: user_agent
        description: User agent string from the client device that caused the event.
        type: string
      - name: location_info
        description: Information about the location that triggered this event based on the IP.
        type: object
        fields:
          - name: country_code
            description: Two-letter Alpha-2 ISO 3166-1 country code.
            type: string
          - name: country_code3
            description: Three-letter Alpha-3 ISO 3166-1 country code.
            type: string
          - name: country_name
            description: Full country name in English.
            type: string
          - name: city_name
            description: Full city name in English.
            type: string
          - name: latitude
            description: Global latitude position.
            type: float
          - name: longitude
            description: Global longitude position.
            type: float
          - name: time_zone
            description: Time zone name as found in the tz database.
            type: string
          - name: continent_code
            description: Two-letter continent code.
            type: string
````
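
The following is an added example, not one of the Panther-managed rules and not Panther or Auth0 code. It shows how the `data.type`, `data.ip`, `data.user_name` and `data.date` fields of this schema support a password-spraying check: one source IP failing logins against several distinct accounts within a short window. The type codes `f`, `fp` and `fu` are Auth0's failed-login codes and are not listed on this page; the sample events, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Auth0 failed-login type codes (from Auth0's event type list, not this page).
FAILED_LOGIN_TYPES = {"f", "fp", "fu"}

# Constructed sample rows: (data.date, data.type, data.ip, data.user_name).
_ROWS = [
    ("2024-01-01T10:00:00Z", "fp", "203.0.113.10", "alice@example.com"),
    ("2024-01-01T10:01:30Z", "fu", "203.0.113.10", "bob@example.com"),
    ("2024-01-01T10:04:00Z", "fp", "203.0.113.10", "carol@example.com"),
    ("2024-01-01T10:05:00Z", "s", "198.51.100.7", "dave@example.com"),
    ("2024-01-01T10:06:00Z", "fp", "198.51.100.7", "dave@example.com"),
    ("2024-01-01T09:00:00Z", "fp", "192.0.2.44", "alice@example.com"),
    ("2024-01-01T11:00:00Z", "fp", "192.0.2.44", "bob@example.com"),
    ("2024-01-01T13:00:00Z", "fp", "192.0.2.44", "carol@example.com"),
]
# Constructed events carrying only the schema fields this check reads.
SAMPLE_EVENTS = [
    {"log_id": f"constructed-{i}", "data": {"date": d, "type": t, "ip": ip, "user_name": u}}
    for i, (d, t, ip, u) in enumerate(_ROWS)
]

def parse_time(value):
    # data.date is RFC 3339; older Pythons reject a trailing "Z" in fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def spray_candidates(events, min_users=3, window=timedelta(minutes=10)):
    """Map source IP -> accounts it failed against, if min_users fall in one window."""
    failures = defaultdict(list)
    for event in events:
        data = event.get("data") or {}
        if data.get("type") not in FAILED_LOGIN_TYPES:
            continue
        ip, user, date = data.get("ip"), data.get("user_name"), data.get("date")
        if not (ip and user and date):
            continue  # only log_id and data are required by the schema
        failures[ip].append((parse_time(date), str(user)))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits
```

With the defaults, only `203.0.113.10` is reported; `192.0.2.44` fails against the same three accounts but over four hours, so it appears only when `window` is widened.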

